A deep inside look at digital security threats and human behavior through various verticals. “Business firms seem to have forgotten that hackers target human vulnerability and weakness to break the organization,” says Rohyt Belani, Co-founder and CEO, PhishMe. “According to Belani, 95 percent of the organizations use the wrong mechanism to ensure security and do not train humans to be vigilant about the attacks.”Read More

People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.

With National Cyber Security Awareness month (NCSAM) upon us, the national spotlight is on best practices to stay safe and protect your data online. Thanks to the support of the National Cyber Security Alliance, Department of Homeland Security, and the White House , the month of October will feature a number of initiatives designed to increase the knowledge base about cyber security issues with the general population and promote DHS’ “Stop. Think. Connect.” program to empower individuals to be safer online. PhishMe is proud to participate by being a 2014 NCSAM champion, and have made a number of resources available to individuals looking to learn more about how to protect themselves from phishing, and to organizations trying to change their users’ behavior with more effective employee security training programs.

While the full implications from yesterday’s DoJ indictment of five Chinese hackers on charges of cyber crime are yet to be fully seen, these charges have already succeeded in elevating cyber crime from a niche discussion to an important debate in society at-large.

Furthermore, just as last year’s APT1 report did, the court documents provide a detailed glimpse at the tactics China is using to steal trade secrets from the world’s largest corporations (not surprisingly, phishing continues to be the favored attack method).

There has been a lot of media attention on this story, so we’ve put together a list of some of the most interesting content we’ve seen so far:

Watering-hole attacks have been established as an effective attack technique for a while now. As the industry has analyzed some prominent examples, many have come to the conclusion that watering-holes present an alternative to spear phishing.

“Targeted attacks no longer rely as heavily on spear-phishing attacks in order to penetrate an organization’s defenses. More recently the attackers have expanded their tactics to include watering-hole attacks, which are legitimate websites that have been compromised for the purpose of installing targeted malware onto the victim’s computer.”

Last week, we discussed how attackers can steal credentials without using malware through data-entry phishing. While this tactic is a common and highly effective technique, the latest report on Target alleges that Citadel, a password-stealing derivative of the ZeuS banking Trojan, was responsible for stealing login credentials from Target vendor Fazio Mechanical, which provided attackers with the foothold they needed in Target’s network.

A Target spokesperson confirmed last week that attackers initially gained access to the company systems through stolen credentials obtained through a vendor. While Target has not confirmed the exact method through which the credentials were stolen, one possible scenario is that attackers sent a spear-phishing email to the vendor, obtained valid login credentials for Target, and used those credentials to gain a foothold in Target’s network.

The holidays are a busy time for everyone… especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns.

How can you ensure your employees are prepared for the onslaught of phishing attacks this holiday season? We’ve mentioned before that training your employees needs to be continuous, and if you have provided immersive security awareness training throughout the year, your employees will be more resilient to phishing attacks at all times. We’ve also noted the need to keep that continuous training fresh, and providing holiday themed training is a great way to provide training that is engaging and timely.

One of the interesting aspects of security awareness training is the intersection of information security with human resources. We know from experience that security practitioners are not always experts in the latter, but what we recently saw from Dave Clemente was a real doozy.

Clemente suggested that employees who engage in unsafe IT security behavior (such as clicking on phishing links) be reprimanded and that unsafe behavior should even negatively affect their performance review. To the security part of your mind, it might feel good to punish people for their security sins. We need to remember, however, that the ultimate goal of security is to protect a network, not give users a reason to DDoS it.

In their book, “Switch: How to Change Things When Change is Hard” authors Chip and Dan Heath examine how influencing humans to change requires appealing to two parts of the brain: the rational and the emotional. Since the emotional part of our brain often gets frustrated when asked to make huge changes, Chip and Dan recommend that we “shrink the change” to change behavior in the face of resistance.

The Heaths cite financial guru Dave Ramsey’s “Debt Snowball” strategy as an effective example of shrinking the change. For people mired in a mountain of debt, this strategy advocates paying off their smallest debts first – regardless of interest rates. Although this flies in the face of conventional financial wisdom, it is a lot easier for people to remain focused by paying off a $200 debt than it is to pay off $200 of a $20k debt. It’s easier for our brains to process manageable changes, and when we feel like change is manageable, we’re more likely to implement it.